Enterprise information security practitioners know better than to be seduced by over-hyped threats.
In the early days of 2011, mobile device attacks seem to be an emerging threat everybody wants to talk about. Cisco Systems Inc.'s 2010 Annual Security Report predicts attackers will increasingly target smartphones, tablets and other mobile devices that are making their way onto enterprise networks. Similarly, IBM predicts rising mobile threats because of the difficulty companies have extending their endpoint security management capabilities to mobile devices.
Many have long predicted a rise in mobile threats, and yet the attack landscape has changed only marginally. This is no doubt causing many to disregard the recent mobile security warnings. However, a word to the wise: Don't be fooled by what may seem to be another round of mobile threat hype, because there are key changes taking place this year that will make mobile device security a weakness to address.
Lisa Phifer, president of Chester Springs, Pa.-based security consultancy Core Competence Inc., said mobile malware in particular has been more hype than substance for many years, but the industry is on the precipice of a tipping point that could lead to some major, well-publicized mobile security incidents in 2011.
It used to be that mobile devices weren't lucrative targets for attackers because building malware for a single platform didn't bring enough potential victims, and altering that malware for use on multiple mobile platforms wasn't technically feasible or cost-effective. Not anymore.
"Actually, the attack surface is increasingly homogenous," Phifer said. "Now with Android and iOS, we have wildly popular and increasingly full-featured SDK APIs that make crafting code for a slew of handsets comparatively trivial."
Furthermore, Phifer noted that while overall sales of mobile devices of all types has skyrocketed in recent years, market share data from Canalys and NPD Group Inc. indicates that nearly seven out of every 10 mobile devices sold in the U.S. during Q3 2010 ran on either the iOS or Android platforms.
"I see this as creating a large, homogenous (two OS) attack surface that is -- better yet for malware writers -- largely unprotected by traditional endpoint security measures like antivirus, antispam and antiphishing," Phifer said.
Another underestimated lure for attackers is the increasing use of mobile devices as a second factor of authentication for enterprise systems, said Nick Lewis, an information security analyst for a large public Midwest university and SearchSecurity.com's expert-in-residence on information security threats.
"If malware can take over your second authentication factor," Lewis said, "that increases the potential for abuse of the authentication." He added that if mobile payment via handhelds becomes popular in the U.S. as it is in other countries, it could further drive attacks against mobile devices.
Still, Lewis acknowledged that, once again, the threat to mobile devices may be over-hyped, as most of the recent mobile exploit research lacks fundamentally new or innovative concepts. Plus, many newer mobile devices interact with data via apps that store that data in the cloud, not on the device itself. The biggest threat to mobile devices, he said, remains physical theft or loss of a device, which can often be countered with a PIN or other basic security.
Time will soon tell whether this latest round of mobile device security hype proves to be more than that. But for now, what's the takeaway? As Phifer said, expect a wave of new mobile device attacks, and "quite possibly [there are] incidents that are already underway, but we just haven't detected them yet."
About the author:
Eric B. Parizo is senior site editor of TechTarget's Security Media Group. His rants can also be heard on SearchSecurity.com's Security Squad podcast.